
Hijacked and getting worse

Discussion in 'Virus & Other Malware Removal' started by Wizardraz, Dec 5, 2008.

  1. Wizardraz

    Wizardraz Thread Starter

    Joined:
    Dec 5, 2008
    Messages:
    21
    I'm pretty sure my Toshiba Satellite laptop (Windows XP, has Spybot and Symantec AV) has been hijacked by some hidden malware. It has started wreaking havoc on it. First it was keeping my internet uploading and downloading in the background. And now it won't allow my firewall to startup or give me access to the web through any browser.
    I know other apps can access the web because I've updated Spybot and Symantec to try to clean this mess, but that has only partially helped.
    The following is my HijackThis log. I'm hoping you can point me in the right direction on how to clean this. Hope to hear from you soon.

    Thank you
    Wizard Raz, Miami, Florida

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:14:00 PM, on 12/5/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe"
    O4 - HKLM\..\Run: [CTFeatureModeUtility] C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
    O20 - Winlogon Notify: c45ff7c6509 - C:\WINDOWS\System32\eapsvc32.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    --
    End of file - 9596 bytes
     
  2. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Please download Malwarebytes Anti-Malware from Here or Here
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick Scan, then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply with a fresh Hijackthis log too.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
     
  3. Wizardraz

    Wizardraz Thread Starter

    Joined:
    Dec 5, 2008
    Messages:
    21
    Thank you for the reply. I did as you instructed, and below is first the Malwarebytes log, followed by a new HijackThis log. Let me know what I should do next.

    Malwarebytes' Anti-Malware 1.31
    Database version: 1467
    Windows 5.1.2600 Service Pack 3
    12/7/2008 1:11:01 AM
    mbam-log-2008-12-07 (01-11-01).txt
    Scan type: Quick Scan
    Objects scanned: 56333
    Time elapsed: 5 minute(s), 4 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 23
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{1a86d7dc-d241-4136-af64-c5d241a07651} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{7a3dc573-7005-4a24-bb29-8aa47294391e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ef3446e8-fc32-4e55-9c56-0b8da015fc10} (Adware.XP_Entertainments) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{029e02f0-a0e5-4b19-b958-7bf2db29fb13} (Adware.AdGoblin) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695bc-a811-4a9d-8cdf-ba8c795f261e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a4a435cf-3583-11d4-91bd-0048546a1450} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2680e10-1655-4a0e-87f8-4259325a84b7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e9306072-417e-43e3-81d5-369490beef7c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271} (Adware.AdBreak) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} (Adware.AdBlaster) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{51641ef3-8a7a-4d84-8659-b0911e947cc8} (Adware.AdBlaster) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e9147a0a-a866-4214-b47c-da821891240f} (Adware.AdBlaster) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54645654-2225-4455-44a1-9f4543d34546} (Trojan.Clicker) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0} (Adware.Aconti) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3} (Adware.7Search) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c4ca6559-2cf1-48b6-96b2-8340a06fd129} (Adware.AdBar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca1d1b05-9c66-11d5-a009-000103c1e50b} (Adware.4Arcade) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d8efadf1-9009-11d6-8c73-608c5dc19089} (Adware.AccessPlugin) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53c330d6-a4ab-419b-b45d-fd4411c1fef4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bb936323-19fa-4521-ba29-eca6a121bc78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000012-890e-4aac-afd9-eff6954a34dd} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\qiawpbjj.msdn_hlp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> Quarantined and deleted successfully.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:20:45 AM, on 12/7/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe"
    O4 - HKLM\..\Run: [CTFeatureModeUtility] C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
    O20 - Winlogon Notify: c45ff7c6509 - C:\WINDOWS\System32\eapsvc32.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    --
    End of file - 9754 bytes
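    The two HijackThis logs in this thread (post 1, before Malwarebytes ran, and the one just above, after it) are the kind of thing a reviewer compares by hand. The script below is an added example, not code from the thread or from Trend Micro: it parses the R*/F*/N*/O* entry lines of a HijackThis log, applies a few reviewer heuristics of its own (orphaned BHO with "(no file)", a populated AppInit_DLLs entry, a Winlogon Notify package with a random-looking hex name, a service with no vendor information), and diffs a before/after pair to show which flagged entries survived a cleanup. The BEFORE/AFTER samples are constructed from a subset of the entries that appear in the thread's two logs; since the second log repeats every one of them, AFTER is the same text, and the diff reports all four flagged entries as persisting. The heuristics only say "look at this"; they do not decide that an entry is malicious.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Entry:
    section: str  # HijackThis section tag, e.g. "O20"
    body: str     # text after the "O20 - " prefix


@dataclass(frozen=True)
class Finding:
    severity: str  # "cleanup" (orphan, harmless) or "review" (needs a human decision)
    entry: Entry
    reason: str


# Entry lines look like "O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*\S)\s*$")
# Winlogon Notify packages normally have readable names; an all-hex name is worth a look.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)

# Constructed sample: a subset of the entries from the first HijackThis log in
# this thread, plus a few header/process lines the parser must skip.
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
O20 - Winlogon Notify: c45ff7c6509 - C:\WINDOWS\System32\eapsvc32.dll
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""
# The second log in the thread still lists every one of these entries.
AFTER = BEFORE


def parse_log(text: str) -> list[Entry]:
    """Return the R*/F*/N*/O* entries of a HijackThis log, ignoring the
    header, the running-process list and the footer."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_entries(entries: list[Entry]) -> list[Finding]:
    """Apply a few reviewer heuristics (this example's own, not HijackThis's)."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.body.endswith("(no file)"):
            findings.append(Finding("cleanup", e, "BHO CLSID is registered but its DLL is gone (orphan)"))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # Everything listed in AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append(Finding("review", e, "AppInit_DLLs is populated; the DLL is injected into every GUI process"))
        elif e.section == "O20" and e.body.startswith("Winlogon Notify:"):
            name = e.body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if HEX_NAME_RE.match(name):
                findings.append(Finding("review", e, f"Winlogon Notify package '{name}' has a random-looking hex name"))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding("review", e, "service binary carries no vendor information"))
    return findings


def diff_logs(before: str, after: str) -> dict[str, list[Entry]]:
    """Compare two logs of the same machine: what disappeared, what is new,
    and which flagged entries survived the cleanup run in between."""
    b, a = set(parse_log(before)), set(parse_log(after))
    survived = {f.entry for f in flag_entries(sorted(a))} & b
    return {"removed": sorted(b - a), "added": sorted(a - b), "persisted_flags": sorted(survived)}


if __name__ == "__main__":
    for f in flag_entries(parse_log(BEFORE)):
        print(f"[{f.severity}] {f.entry.section} - {f.entry.body}\n    {f.reason}")
    result = diff_logs(BEFORE, AFTER)
    print(f"removed={len(result['removed'])} added={len(result['added'])} "
          f"flagged entries still present={len(result['persisted_flags'])}")
```

    Running processes are deliberately ignored: they change from boot to boot (wuauclt.exe appears in the second log and not the first) and say nothing about persistence, whereas an O20 entry that is still there after a scan is exactly what the next round of tools has to deal with.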
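    The Malwarebytes report in this post also deserves a mechanical read before moving on: one file (D.tmp) is marked "Delete on reboot" rather than quarantined, and the summary counts at the top should agree with the items listed below them, which they will not if a paste was truncated. The script below is an added example, not the thread's or Malwarebytes' code. It parses a 1.x-style report into items, groups them by detection family, lists targets still pending a reboot, and cross-checks the declared per-section counts against what was actually listed. The REPORT text is a constructed excerpt of the posted log (three of the registry keys and the three files, with the summary counts set to match the excerpt).

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    section: str  # e.g. "Registry Keys Infected"
    target: str   # registry key or file path
    family: str   # detection name, e.g. "Trojan.FakeAlert"
    action: str   # what MBAM did with it


# "Files Infected: 3" is a summary count; "Files Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(.+? Infected):\s*(\d+)?\s*$")
# Detail lines: "<target> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")

# Constructed excerpt of the Malwarebytes report posted in this thread.
REPORT = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1467
Scan type: Quick Scan
Registry Keys Infected: 3
Files Infected: 3
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1a86d7dc-d241-4136-af64-c5d241a07651} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{029e02f0-a0e5-4b19-b958-7bf2db29fb13} (Adware.AdGoblin) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qiawpbjj.msdn_hlp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> Quarantined and deleted successfully.
"""


def parse_report(text):
    """Return (declared_counts, items): the summary counts keyed by section
    name, and every detail line as an Item tagged with its section."""
    declared, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            if s.group(2) is None:
                section = s.group(1)          # "Files Infected:" header
            else:
                declared[s.group(1)] = int(s.group(2))  # "Files Infected: 3"
            continue
        m = ITEM_RE.match(line)
        if m and section is not None:
            items.append(Item(section, m.group(1), m.group(2), m.group(3)))
    return declared, items


def count_mismatches(declared, items):
    """Sections whose declared count differs from the items actually listed,
    which is what a truncated or partially pasted report looks like."""
    seen = Counter(i.section for i in items)
    return {sec: (n, seen[sec]) for sec, n in declared.items() if seen[sec] != n}


def pending_reboot(items):
    """Targets MBAM could not remove on the spot; verify they are gone after the restart."""
    return [i.target for i in items if not i.action.startswith("Quarantined and deleted")]


def by_family(items):
    """Detection-name histogram, useful for seeing what kind of infection this is."""
    return dict(Counter(i.family for i in items))


if __name__ == "__main__":
    declared, items = parse_report(REPORT)
    print("families:", by_family(items))
    print("count mismatches:", count_mismatches(declared, items) or "none")
    print("still pending reboot:", pending_reboot(items) or "none")
```

    The reboot check is the one that matters operationally: MBAM's instructions above say to restart immediately when prompted, and a target listed as "Delete on reboot" is not gone until that has happened and a fresh scan no longer reports it.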
     
  4. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS.txt will open.
    • Click Yes at the next prompt for Optional Scan.
    • Save both reports to your desktop.
    ---------------------------------------------------

    Please include the contents of the following in your next reply:

    DDS.txt

    Attach the following report to your post by clicking the Manage Attachments button under Additional Options > Attach Files on the composition page. Browse to where you saved the file, and click Upload.

    Attach.txt
     
  5. Wizardraz

    Wizardraz Thread Starter

    Joined:
    Dec 5, 2008
    Messages:
    21
    Below is the DDS.txt log. One thing I'm not sure of is whether I disabled any script blocking. Aside from any in the internet tools settings, I'm not sure if there is any other software that may do this. I can always do this again if something seems awry. I just need a little direction on how to disable them.

    Let me know if there is anything else I need to do.

    Thank you.


    DDS (Version 1.0) - NTFSx86
    Run by Erasmo at 11:50:00.82 on Sun 12/07/2008
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.460 [GMT -5:00]
    ============== Running Processes ===============
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\Erasmo\Desktop\dds.scr
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.espn.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
    uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
    mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
    mRun: [TOSHIBA Accessibility] c:\program files\toshiba\accessibility\FnKeyHook.exe
    mRun: [TPSMain] TPSMain.exe
    mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
    mRun: [ZoomingHook] ZoomingHook.exe
    mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
    mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [TCtryIOHook] TCtrlIOHook.exe
    mRun: [TFncKy] TFncKy.exe
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [CTDVDDET] "c:\program files\creative\sound blaster audigy 2\dvdaudio\CTDVDDET.EXE"
    mRun: [CTSysVol] "c:\program files\creative\sound blaster audigy 2\surround mixer\CTSysVol.exe"
    mRun: [CTFeatureModeUtility] c:\program files\creative\sound blaster audigy 2\feature mode utility\CTModUtl.exe
    mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
    mRun: [Zone Labs Client] "c:\program files\ca\etrust ez armor\etrust ez firewall\ca.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_01\bin\npjpi150_01.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: c45ff7c6509 - c:\windows\system32\eapsvc32.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    AppInit_DLLs: c:\windows\system32\eapsvc32.dll
    ============= SERVICES / DRIVERS ===============
    R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-13 271792]
    R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2007-5-29 192104]
    R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2007-5-29 169576]
    R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2007-10-7 1822648]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-20 99376]
    R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081203.004\naveng.sys [2008-12-4 89104]
    R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081203.004\navex15.sys [2008-12-4 876112]
    S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-9-25 22136]
    S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\ctmsfsyn.sys [2005-1-31 159104]
    S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2007-10-7 116664]
    S4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
    =============== Created Last 30 ================
    2008-12-07 00:59 <DIR> --d----- c:\docume~1\erasmo\applic~1\Malwarebytes
    2008-12-07 00:58 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2008-12-07 00:58 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-07 00:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2008-12-07 00:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2008-12-04 00:05 4,516 a------- c:\windows\GnuHashes.ini
    2008-12-04 00:04 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2008-12-04 00:04 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
    2008-12-04 00:04 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2008-12-04 00:04 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2008-12-03 23:52 1,698 a--sh--- c:\windows\system32\GroupPolicy000.dat
    2008-12-03 23:52 <DIR> --dsh--- c:\windows\system32\GroupPolicyManifest
    2008-12-03 23:52 135,168 a------- c:\windows\system32\eapsvc32.dll
    2008-11-13 13:10 <DIR> --d----- c:\program files\MSXML 4.0
    2008-11-13 12:37 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-13 12:37 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
    ==================== Find3M ====================
    2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
    2008-10-01 11:59 32,768 a------- c:\documents and settings\erasmo\WebVpnRegKey4-vpn3k2-herald-com.dll
    2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
    2008-09-18 22:43 32,768 a------- c:\documents and settings\erasmo\WebVpnRegKey4-vpn3k1-herald-com.dll
    2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
    2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll
    2008-08-17 15:22 251 a------- c:\program files\wt3d.ini
    2008-08-28 07:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat
    2008-08-28 07:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
    ============= FINISH: 11:51:11.98 ===============
     

  6. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    The following looks suspicious

    You have a file I would like you to get analyzed. Please go to VirusTotal. At the very top of the website you will see a Browse button. Use that to search for this file: c:\windows\system32\eapsvc32.dll. Then click Send. This could take between 30 seconds and a couple of minutes. When you get the results, open Notepad, highlight the results, copy them into Notepad and save it as "Scan.txt". Save the text file "Scan.txt" to your desktop. Please include the file in your next post.
     
  7. Wizardraz

    Wizardraz Thread Starter

    Joined:
    Dec 5, 2008
    Messages:
    21
    Went to virustotal and did as you instructed.
    Not sure if you wanted me to paste the text from scan.txt or attach it, so I did both.

    File has already been analysed:
    MD5: 8f888332700f39ccb90ceb0c35c9ebd8
    First received: 12.02.2008 21:02:03 (CET)
    Date: 12.05.2008 21:46:50 (CET) [>2D]
    Results: 25/38
    Permalink: analisis/4daaed99d5344e35258a2fb6237d3c22

    Let me know if something is missing.
    And if there is anything else I need to do.
    Thanks for all your help. It's been very easy to follow your instructions.
    Not counting my chickens before they hatch, but you've been great.
     

    Attached Files:

    • Scan.txt (229 bytes)
  8. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it.
    • Place a check mark next to zip file when moved.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :processes
      explorer
      :files
      c:\windows\system32\eapsvc32.dll
      :reg
      [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
      "AppInit_DLLS"=""
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c45ff7c6509]
      :commands
      [emptytemp]
      [start explorer]
      
    • Return to OTMoveIt3, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Click OK to allow OTMoveIt3 to reboot your machine.
    • After reboot, a log file will appear. Copy the contents to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
    • Close OTMoveIt3
     
  9. Wizardraz

    Wizardraz Thread Starter

    Joined:
    Dec 5, 2008
    Messages:
    21
    I've done the OTMoveIT3 process. Below is the text of the log.
    Note: The software did not have a check box for the zip file. Also when the laptop rebooted it did not re-open OTMoveIT3.

    What's next?

    ========== PROCESSES ==========
    Unable to kill process: explorer
    ========== FILES ==========
    DllUnregisterServer procedure not found in c:\windows\system32\eapsvc32.dll
    c:\windows\system32\eapsvc32.dll NOT unregistered.
    c:\windows\system32\eapsvc32.dll moved successfully.
    ========== REGISTRY ==========
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c45ff7c6509\\ deleted successfully.
    ========== COMMANDS ==========
    File delete failed. C:\DOCUME~1\Erasmo\LOCALS~1\Temp\ZLT054b4.TMP scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Erasmo\LOCALS~1\Temp\~DF312D.tmp scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Erasmo\LOCALS~1\Temp\~DF85E4.tmp scheduled to be deleted on reboot.
    User's Temp folder emptied.
    User's Temporary Internet Files folder emptied.
    User's Internet Explorer cache folder emptied.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12082008_171502
    Files moved on Reboot...
    File C:\DOCUME~1\Erasmo\LOCALS~1\Temp\ZLT054b4.TMP not found!
    File C:\DOCUME~1\Erasmo\LOCALS~1\Temp\~DF312D.tmp not found!
    File C:\DOCUME~1\Erasmo\LOCALS~1\Temp\~DF85E4.tmp not found!
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
     
  10. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please post a fresh Hijackthis log. Thanks
     
  11. Wizardraz

    Wizardraz Thread Starter

    Joined:
    Dec 5, 2008
    Messages:
    21
    Here is the latest hijackthis log.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:45:04 PM, on 12/8/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\TPSBattM.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Common Files\AOL\1166848557\ee\aolsoftware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe"
    O4 - HKLM\..\Run: [CTFeatureModeUtility] C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
    O20 - Winlogon Notify: c45ff7c6509 - C:\WINDOWS\System32\eapsvc32.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    --
    End of file - 9803 bytes
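    The two entries sjpritch25 singled out in post 6 (the Winlogon Notify subkey c45ff7c6509 and the AppInit_DLLs value, both pointing at eapsvc32.dll) are still listed as O20 items in the HijackThis log above, after OTMoveIt3 moved the file and wrote an empty AppInit_DLLS value under HKCU. Both of these persistence points are read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\..., so a fix aimed at HKCU changes nothing. The Python below is an added example, not a tool from this thread or from any of the utilities used in it: it parses DDS "Notify:"/"AppInit_DLLs:" lines and HijackThis "O20" lines, flags Notify subkeys whose names look machine-generated or are not on a small allowlist, flags any non-empty AppInit_DLLs, correlates the DLL with files created in the same minute from the DDS "Created Last 30" section, and emits a remediation plan against the machine-wide keys. The sample log is constructed from lines posted in this thread; the allowlist and the random-name heuristic are assumptions, and it needs Python 3.9 or newer.

```python
"""Triage Winlogon Notify / AppInit_DLLs persistence from DDS and HijackThis log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS and HijackThis logs posted in
# this thread, trimmed to the sections this triage reads.
SAMPLE_LOG = r"""
Notify: AtiExtEvent - Ati2evxx.dll
Notify: c45ff7c6509 - c:\windows\system32\eapsvc32.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\eapsvc32.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
O20 - Winlogon Notify: c45ff7c6509 - C:\WINDOWS\System32\eapsvc32.dll
2008-12-03 23:52 1,698 a--sh--- c:\windows\system32\GroupPolicy000.dat
2008-12-03 23:52 <DIR> --dsh--- c:\windows\system32\GroupPolicyManifest
2008-12-03 23:52 135,168 a------- c:\windows\system32\eapsvc32.dll
"""

# Assumed allowlist: Notify subkeys shipped with Windows XP plus the ATI and
# Symantec ones visible in this thread. Anything else is reported.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "wgalogon", "atiextevent", "navlogon",
}

# Both persistence points live under HKLM; an HKCU copy of the value does nothing.
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# DDS writes "Notify: name - dll"; HijackThis writes "O20 - Winlogon Notify: name - dll".
RE_NOTIFY = re.compile(r"^(?:O20 - Winlogon )?Notify:\s*(\S+)\s*-\s*(.+?)\s*$", re.I)
RE_APPINIT = re.compile(r"^(?:O20 - )?AppInit_DLLs:\s*(.+?)\s*$", re.I)
# DDS "Created Last 30" rows: <date time> <size or <DIR>> <attrs> <path>
RE_CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:<DIR>|[\d,]+)\s+\S+\s+(.+?)\s*$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "notify" or "appinit"
    name: str    # Notify subkey name, or "AppInit_DLLs"
    dll: str     # DLL path exactly as logged
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic (assumption): generated subkey names are hex strings that contain digits."""
    return bool(re.fullmatch(r"[0-9a-f]+", name.lower())) and any(c.isdigit() for c in name)


def triage(log_text: str) -> list[Finding]:
    """Flag suspicious O20-class entries; the same entry in DDS and HJT form is merged."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_NOTIFY.match(line):
            name, dll = m.groups()
            if looks_random(name):
                findings.append(Finding("notify", name, dll, "random-looking Notify subkey name"))
            elif name.lower() not in KNOWN_NOTIFY:
                findings.append(Finding("notify", name, dll, "Notify subkey not in allowlist"))
        elif m := RE_APPINIT.match(line):
            # Empty on a stock XP install; any DLL listed here is loaded into every
            # process that maps user32.dll.
            findings.append(Finding("appinit", "AppInit_DLLs", m.group(1), "AppInit_DLLs is non-empty"))
    uniq = {}
    for f in findings:   # keep the first occurrence per (kind, name, path), case-insensitive
        uniq.setdefault((f.kind, f.name.lower(), f.dll.lower()), f)
    return list(uniq.values())


def created_with(log_text: str, dll: str) -> list[str]:
    """Other files created in the same minute as `dll`, per the 'Created Last 30' rows."""
    by_minute = defaultdict(list)
    for line in log_text.splitlines():
        if m := RE_CREATED.match(line.strip()):
            by_minute[m.group(1)].append(m.group(2))
    target = dll.lower()
    for paths in by_minute.values():
        if target in (p.lower() for p in paths):
            return [p for p in paths if p.lower() != target]
    return []


def remediation(findings: list[Finding]) -> list[str]:
    """Registry fixes first, then quarantine (move, do not delete) the loader DLL."""
    steps, files = [], []
    for f in findings:
        step = (f"DELETE KEY {NOTIFY_KEY}\\{f.name}" if f.kind == "notify"
                else f'SET VALUE {APPINIT_KEY}\\AppInit_DLLs = ""')
        if step not in steps:
            steps.append(step)
        if f.dll.lower() not in (p.lower() for p in files):
            files.append(f.dll)
    return steps + [f"QUARANTINE FILE {p}" for p in files]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.name} -> {f.dll}: {f.reason}; created with: {created_with(SAMPLE_LOG, f.dll)}")
    print("\n".join(remediation(found)))
```

    Run against the sample it reports the c45ff7c6509 Notify subkey and the non-empty AppInit_DLLs once each, shows that GroupPolicy000.dat and GroupPolicyManifest were created in the same minute as eapsvc32.dll, and emits the HKLM key deletion and value reset that the HKCU-targeted OTMoveIt3 script could not perform. The quarantine step moves rather than deletes so the sample survives for later analysis.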
     
  12. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    1. Please download The Avenger2 by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Files to delete:
    C:\WINDOWS\System32\eapsvc32.dll
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c45ff7c6509
    Registry values to replace with dummy:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLS
    

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
     
  13. Wizardraz

    Wizardraz Thread Starter

    Joined:
    Dec 5, 2008
    Messages:
    21
    I ran avenger. Below is the log followed by a new Hijackthis log.

    What's next?

    I knew my infection was bad. After Avenger, the restart was quicker than it has been in a while.

    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////
    Platform: Windows XP (build 2600, Service Pack 3)
    Mon Dec 08 21:27:21 2008
    21:26:56: Error: Invalid registry syntax in command:
    "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLS"
    Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
    Skipping line. (Registry value replacement mode)

    //////////////////////////////////////////

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com
    Platform: Windows XP
    *******************
    Script file opened successfully.
    Script file read successfully.
    Backups directory opened successfully at C:\Avenger
    *******************
    Beginning to process script file:
    Rootkit scan active.
    No rootkits found!
    File "C:\WINDOWS\System32\eapsvc32.dll" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c45ff7c6509" deleted successfully.
    Completed script processing.
    *******************
    Finished! Terminate.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:33:35 PM, on 12/8/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\Toshiba\Tvs\TvsTray.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe"
    O4 - HKLM\..\Run: [CTFeatureModeUtility] C:\Program Files\Creative\Sound Blaster Audigy 2\Feature Mode Utility\CTModUtl.exe
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
    O20 - Winlogon Notify: c45ff7c6509 - C:\WINDOWS\
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    --
    End of file - 9525 bytes
     
  14. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    1) Run Spybot-S&D
    2) Go to the Mode menu, and make sure "Advanced Mode" is selected
    3) On the left hand side, choose Tools -> Resident
    4) Uncheck "Resident TeaTimer" and OK any prompts
    5) Restart your computer.



    Run HijackThis, and press "Do a System Scan Only".
    1. When the scan is complete place a check mark next to the following entries:

    O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
    O20 - Winlogon Notify: c45ff7c6509 - C:\WINDOWS\

    2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...
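The two O20 lines the specialist singles out above are the kind a log reviewer checks first: on Windows XP the AppInit_DLLs value is empty by default, and a Winlogon Notify package normally has a recognisable name and points at a real DLL, not at a bare directory. The following Python script is an added example (my code, not the thread's or HijackThis's) that parses HijackThis-format O20 lines and applies exactly those checks. The sample log is constructed: the two O20 lines are the ones quoted in this thread, the WgaLogon and O4 lines are benign controls added here, and the KNOWN_NOTIFY allowlist of default XP Notify subkeys is an assumption maintained in the script, not something from the page.

```python
import re

# Constructed sample log. The two suspicious O20 lines are the ones quoted in the
# thread; the O4 line and the WgaLogon Notify entry are benign controls added here.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\WINDOWS\System32\eapsvc32.dll
O20 - Winlogon Notify: c45ff7c6509 - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Assumption: default Winlogon\Notify subkeys on a Windows XP install. Anything
# outside this allowlist is examined more closely, not automatically flagged.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.*)$")


def parse_o20(log_text):
    """Return a list of (kind, name, path) tuples for every O20 line in the log.

    AppInit_DLLs entries have no subkey name, so name is None for them.
    """
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue  # not an O20 line (O4, O23, ...): ignore
        kind, rest = m.group(1), m.group(2).strip()
        if kind == "AppInit_DLLs":
            entries.append((kind, None, rest))
        else:
            # HijackThis prints "<subkey name> - <DLL path>" for Notify packages
            name, _, path = rest.partition(" - ")
            entries.append((kind, name.strip(), path.strip()))
    return entries


def looks_random(name):
    """True for hex-only names of 8+ chars mixing digits and letters (e.g. c45ff7c6509)."""
    return (
        len(name) >= 8
        and re.fullmatch(r"[0-9a-fA-F]+", name) is not None
        and re.search(r"\d", name) is not None
        and re.search(r"[a-fA-F]", name) is not None
    )


def flag_o20(entries):
    """Return (kind, name, path, reasons) for each O20 entry that merits review."""
    flagged = []
    for kind, name, path in entries:
        reasons = []
        if kind == "AppInit_DLLs":
            if path:
                reasons.append("AppInit_DLLs is empty by default on XP; this DLL is "
                               "loaded into every process that links user32.dll")
        elif name.lower() not in KNOWN_NOTIFY:
            if not path.lower().endswith(".dll"):
                reasons.append("Notify package path is a directory or lacks a DLL filename")
            if looks_random(name):
                reasons.append("Notify subkey name is a hex-like random string")
        if reasons:
            flagged.append((kind, name, path, reasons))
    return flagged


if __name__ == "__main__":
    for kind, name, path, reasons in flag_o20(parse_o20(SAMPLE_LOG)):
        label = f"{kind}: {name} -> {path}" if name else f"{kind}: {path}"
        print(label)
        for r in reasons:
            print("   -", r)
```

Run against the constructed log, the script flags the AppInit_DLLs entry and the c45ff7c6509 Notify package (for two reasons) and leaves the WgaLogon entry alone, which matches the two lines the specialist asks to have fixed.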
     
  15. sjpritch25

    sjpritch25 Malware Specialist

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    After reboot, please post a fresh HijackThis log.
     
Short URL to this thread: https://techguy.org/776561